ABSTRACT

This paper describes algorithms for factoring a polynomial in one or more variables, with integer coefficients, into factors which are irreducible over the integers. These algorithms are based on the use of factorizations over finite fields and "Hensel's Lemma constructions." "Abstract algorithm" descriptions are used in the presentation of the underlying algebraic theory. Included is a new generalization of Hensel's p-adic construction which leads to a practical algorithm for factoring multivariate polynomials. The univariate case algorithm is also specified in greater detail than in the previous literature, with attention to a number of improvements which the author has developed based on theoretical computing time analyses and experience with actual implementations.
MULTIVARIATE POLYNOMIAL FACTORIZATION

David R. Musser*

1. Introduction and basic concepts.

This paper presents algorithms for factoring a given polynomial in one or more variables, with integer coefficients, into factors which are irreducible over the integers. These algorithms are based on the use of Berlekamp's algorithm for factoring modulo a prime and "Hensel's Lemma constructions" as suggested by Zassenhaus [ZAS69]. A new generalization of Hensel's construction is given, providing a practical basis for an algorithm for factoring multivariate polynomials.

The algorithm for the univariate case has been implemented by G. E. Collins and the author in the SAC-1 system for algebraic calculation [COL71] and tested thoroughly. A detailed description of this implementation is given in [COL72]. Both the univariate and multivariate algorithms have been implemented in the Pascal language at the University of Texas by R. T. Charleton [CHA73].

Following a brief discussion of notation and basic concepts of factorization and use of homomorphic mappings, we shall define the concept of an abstract algorithm, in order to present concisely the common theory behind the univariate and multivariate algorithms. Section 2 gives an overview of the main steps in factorization, followed by detailed abstract algorithms in Section 3. In Sections 4 and 5 we consider the details of applications of the abstract algorithms to the univariate and multivariate integral polynomials. Some consideration is given to computing times in these sections.

*Computer Sciences Department and Mathematics Research Center, University of Wisconsin; on leave from University of Texas. This work was sponsored in part by the National Science Foundation under grants GJ239, GJ-30125X and GJ-1069, by the United States Army under Contract No. DA-31-124-ARO-D-462, and by the Wisconsin Alumni Research Foundation.

1.1. Polynomial notation

A polynomial $A(x) = a_n x^n + \dots + a_1 x + a_0$ with coefficients $a_n, \dots, a_1, a_0$ from a ring R, $a_n \neq 0$, is said to have degree n, leading coefficient $a_n$, and trailing coefficient (or constant term) $a_0$; we write

$\deg(A) = n$, $\mathrm{lc}(A) = a_n$, $\mathrm{tc}(A) = a_0$.

By convention, we define

$\deg(0) = -\infty$, $\mathrm{lc}(0) = 0$, $\mathrm{tc}(0) = 0$.

If R has an identity 1, we say A(x) is monic if lc(A) = 1.

1.2. Unique factorization domains

In a commutative ring with identity, zero-divisors are elements y and z such that y · z = 0. A unit is a divisor of unity, and a prime is a nonunit element which cannot be expressed as a product of nonunit elements. An integral domain is a commutative ring with identity which contains no zero-divisors. A unique factorization domain (UFD) is an integral domain in which every nonzero element is a unit, or is prime, or has a unique factorization into primes (an expression as a product of a finite number of primes which is unique except for unit factors and the order of factors).

Primes are also called irreducible elements, and a unique factorization into primes is often called a complete factorization.

The integral domain Z of integers is a UFD (Fundamental Theorem of Arithmetic), in which the only units are 1 and -1. Any field F is a UFD in which every nonzero element is a unit and there are no irreducible elements. According to a theorem of Gauss [VDW49, §23], the polynomial domain $D[x_1, \dots, x_n]$ is a UFD whenever D is. Thus, for example, $Z[x_1, \dots, x_n]$ and $F[x_1, \dots, x_n]$ are UFD's.

1.3. Homomorphic mappings

A mapping h from a ring R into a ring R' is called a homomorphism if for all a, b ∈ R,

(1) h(a + b) = h(a) + h(b),

(2) h(ab) = h(a)h(b).

The application of homomorphic mappings to factorization is based on the factor preserving property (2). The classical algorithm for factoring polynomials, Kronecker's algorithm [VDW49, §25], is based on the use of evaluation homomorphisms. For any fixed a ∈ R, the mapping $e_a$ of R[x] onto R, defined by $e_a(P) = P(a)$ for all P(x) ∈ R[x], is homomorphic and is called an evaluation homomorphism. To factor P(x) ∈ Z[x], for example, Kronecker's algorithm evaluates P(x) at several integers, factors the resulting values in Z, and constructs the factors of P(x) using interpolation.

Another well-known application of homomorphic mappings to polynomial factorization is the use of mod p factorizations, where p is a prime integer. Let P(x) ∈ Z[x] and p be a prime which does not divide the leading coefficient of P. Let $h_p$ denote the homomorphism of Z onto $Z_p$, the ring of integers modulo p. $Z_p$ is actually a field, so $Z_p[x]$ is a UFD. If $h_p(P)$ turns out to be irreducible over $Z_p$, then P is irreducible over Z (except possibly for integer factors). If $h_p(P)$ does factor, then its factorization gives an idea what degrees the factors of P might have, and what residue classes the coefficients modulo p might belong to. These facts have long been used in the limited number of cases in which $h_p(P)$ is easy to factor, e.g. [VDW49, §25]. More general applications of mod p homomorphisms have become possible since the invention in 1967 by Berlekamp of efficient algorithms for factorization in $Z_p[x]$ ([BER68, Ch. 6], [KNU69, §4.6.2]). A second breakthrough was Zassenhaus' suggestion that a construction based on Hensel's Lemma, from the theory of p-adic fields, could be used to progress from a mod p factorization to a corresponding factorization modulo any power of p [ZAS69]. Taking $p^j$ sufficiently large, we can determine from consideration of all mod $p^j$ factorizations all factorizations over the integers. This "Berlekamp-Hensel" factorization algorithm has been improved and extended in a number of ways, as discussed previously in [BER70] and [MUS71]. [COL73], Section 5, gives an overview of this research. The author's main contributions have been the detailed specifications and implementation of a univariate factoring algorithm, with extensive analysis of maximum computing times, and generalization of Hensel's construction to several moduli as a basis for a new multivariate algorithm. Wang and Rothschild [WAN73] use a different generalization of Hensel's construction, but as yet no comparison of the merits of the two constructions has been made.

1.4. Abstract algorithms and validity proofs

In this paper we shall use "abstract algorithm" descriptions in order to present compactly the common theory behind factoring algorithms for both the univariate and multivariate cases and for a number of coefficient domains. An abstract algorithm is one in which the domains of the inputs and outputs are abstract sets or algebraic systems such as rings, integral domains, or fields. An example of an abstract algorithm is:

Algorithm D (Division of polynomials over a ring). Let R be a commutative ring with identity. Given polynomials A, B ∈ R[x] with lc(B) a unit of R, this algorithm computes polynomials Q, R ∈ R[x] such that A = BQ + R and deg(R) < deg(B).

(1) Set Q ← 0 and R ← A.

(2) (Now Q, R ∈ R[x] and A = BQ + R.) If deg(R) < deg(B), exit.

(3) Set n ← deg(R) − deg(B), $T ← (\mathrm{lc}(R)/\mathrm{lc}(B))\, x^n$, Q ← Q + T, R ← R − TB (this reduces the degree of R), and go to (2).

In dealing with abstract algorithms we leave open the question of what assumptions are required about the abstract domains involved in order to prove effectiveness of the algorithm. (Such questions have been dealt with elsewhere, e.g. [RAB60].) We shall however require that, under the assumption that each step can be effectively performed, the algorithm will terminate in a finite number of steps. A proof of termination of Algorithm D is indicated in the parenthetical assertion in step (3): by the choice of the term T of the quotient polynomial Q, both R and TB have the same leading coefficient, hence the new value of R, $R_1 = R - TB$, is of smaller degree than that of R, and thus the condition tested in step (2) must eventually be satisfied.

If we do not require effectiveness in our abstract algorithms, the reader may well ask, by what criteria do we construct them? For we could in some steps of our algorithms merely cite the existence of some quantity without any indication of a method of constructing the quantity. However, all of the algorithms to be presented have been written with the purpose of generalizing methods which are known not just to be effective in particular domains, but to be "very effective" or "efficient" methods. This is meant in the sense that each step of the abstract algorithm is of sufficient simplicity that there are known to be efficient algorithms for carrying it out in at least one particular domain. In Algorithm D, for example, each step involves only simple arithmetic operations for which efficient algorithms are known when R is the ring of integers, or the rational number field, or a finite field.

Besides the proof of termination, we are also interested in proving the validity of the algorithm: that when applied to inputs which satisfy the input assumptions, the algorithm produces outputs which satisfy the output assertions. The method of proof to be used is based on the method of "inductive assertions" described in [FLO67] and [KNU68, §1.2.1]. The basic idea of the method is to associate with some or all of the steps or substeps of the algorithm assertions about the current state of the computation, and to prove that each assertion is true each time control reaches the corresponding step, under the assumption that the previously encountered assertions are true. If this can be done in such a way that the assertions associated with the first step are the input assumptions and those associated with the terminal step(s) are the output assertions, then the algorithm is necessarily valid, by induction on the number of steps performed.

In applying the method we have usually not attempted to list all of the assertions which actually hold at each step; in general we have tried to maintain about the same degree of explicitness as is usual in a conventional proof of a theorem. In Algorithm D, we have included only two assertions, in step (2), for the purpose of proving validity (the assertion in step (3) was included for the sake of proving termination, as discussed previously). It is trivial that these assertions are true the first time step (2) is executed. Assuming them true at a given execution of step (2), they may be shown to be true at the next execution as follows: Let $Q_1 = Q + T$ and $R_1 = R - TB$; since lc(B) is a unit, T ∈ R[x], hence so are $Q_1$ and $R_1$; also $BQ_1 + R_1 = B(Q + T) + R - TB = BQ + R = A$; since Q is set to $Q_1$ and R to $R_1$ in step (3), the assertions Q, R ∈ R[x] and A = BQ + R still hold when step (2) is reached again.

The abstract algorithm concept may be easily formalized in terms of conventional set theory, and in fact such a formalization is given by Knuth in his initial formal definition of algorithms [KNU68, pp. 7-8]. (Knuth goes on to modify this definition to include the property of effectiveness.) The inductive assertion method is also easily formalized in terms of Knuth's model, as shown in [MUS71].
2. Overview.

In Section 3, we shall state the basic algorithms for factorization in D[x] where D is any UFD. In Sections 4 and 5 we consider separately the cases that D = Z and $D = Z[v_1, \dots, v_n]$. Assume we are given a polynomial C(x) ∈ D[x] to be factored, i.e. we are given a representation

$C(x) = c_m x^m + c_{m-1} x^{m-1} + \dots + c_0$, $c_i \in D$,

and we must determine the factors of C(x) which are irreducible over D.

The following are the essential steps of the overall algorithm:

1. First eliminate proper factors of degree zero and repeated factors by means of greatest common divisor calculations in D and D[x]. (These steps are sufficient to satisfy some of the assumptions made in later phases of the algorithm, particularly Hensel's construction.) Thus we have

$C(x) = \prod_i F_i(x)$

where the $F_i$ are distinct irreducible polynomials of positive degree, and our task is to determine these $F_i$.

2. Choose $p_1, \dots, p_m$ in D such that factorization in E[x] is possible, where $E = D/(p_1, \dots, p_m)$. (With D = Z, we will have m = 1, choosing a single prime integer p, and E will be $Z_p$ = GF(p), the Galois field of order p. With $D = Z[v_1, \dots, v_n]$ we will have m = n + 1, choosing a prime p and linear polynomials $v_1 - a_1, \dots, v_n - a_n$ as the moduli; again E = GF(p).)

3. Obtain a factorization

$C \equiv c \prod_{k=1}^{r} G_k \pmod{p_1, \dots, p_m}$, $c = \mathrm{lc}(C)$, $G_k \in D[x]$,

not necessarily complete, but such that each $F_i$ corresponds to a product of one or more of the $G_k$; i.e. there is a partition of $\{G_1, \dots, G_r\}$ into subsets $I_1, \dots, I_q$ such that

$F_i \equiv f_i \prod_{G \in I_i} G \pmod{p_1, \dots, p_m}$, $f_i = \mathrm{lc}(F_i)$.

4. Using Hensel's construction, lift the $G_k$ to corresponding $H_k \in D[x]$ such that

$C \equiv c \prod_{k=1}^{r} H_k \pmod{p_1^{j_1}, \dots, p_m^{j_m}}$

for sufficiently large positive integers $j_1, \dots, j_m$.

5. Partition the $H_k$ into subsets $V_i$ such that

$F_i \equiv f_i \prod_{H \in V_i} H \pmod{p_1^{j_1}, \dots, p_m^{j_m}}$,

thereby determining the $F_i$.

In order to simplify the presentation, we shall confine the discussion in Section 3 to the case of a single modulus and defer generalizations to several moduli to Section 5.
3. Abstract factoring algorithms

3.1. Reduction to a primitive polynomial. If C(x) = $c_0$ ∈ D then we merely factor $c_0$ in D; we assume the existence of an algorithm for this factorization. Otherwise, we compute the greatest common divisor d of $c_m, \dots, c_0$ (called the content of C in D) and divide C(x) by d, thereby obtaining a primitive polynomial $\bar C(x)$, i.e. one whose coefficients are relatively prime. Thus $\bar C(x)$, called the primitive part of C(x) (denoted pp(C)), has no proper factors of degree zero, and this property simplifies the task of factoring $\bar C(x)$. We proceed to factor d and $\bar C(x)$ and combine the two lists of factors to produce the list of factors of C(x).

3.2. Reduction to squarefree polynomials. Given a primitive polynomial C(x) over D, we proceed to factor it into squarefree polynomials, i.e. polynomials having no repeated factors. Using greatest common divisor calculations we obtain a factorization

$C = Q_1 Q_2^2 \cdots Q_t^t$ (1)

where $Q_i$ is the product of all the irreducible factors of C with multiplicity i. We then factor each $Q_i$, putting i copies of each factor on the list of factors of C.

The algorithm for producing the factorization (1) is based on Theorem S below. For its statement we require two definitions:

Elements x and y in a ring D are said to be associates if x = uy for some unit u of D. We write x ~ y (this is an equivalence relation).

The characteristic of a ring D is the smallest positive integer n such that nx = 0 for all x in D, or zero if no such integer exists. (If D is an integral domain, the characteristic is prime if it is not zero.)

Theorem S. Let D be a UFD, C be a nonconstant, primitive polynomial over D, and B = gcd(C, C') where C' denotes the derivative of C. Let $C = P_1^{e_1} \cdots P_n^{e_n}$ be a complete factorization of C.

a. If deg(B) = 0 then C is squarefree.

b. If D has characteristic zero, then $B \sim P_1^{e_1 - 1} \cdots P_n^{e_n - 1}$.

c. If D has characteristic zero and C is squarefree, then B ~ 1.

d. If D has characteristic zero, then $C/B \sim P_1 \cdots P_n$, the greatest squarefree divisor of C.

Proof: a. Suppose C is not squarefree; thus $C = P^2 Q$ for some P and Q over D, deg(P) > 0. Then $C' = P^2 Q' + 2PP'Q$ is a multiple of P, hence P | B, hence deg(B) > 0. Thus deg(B) = 0 implies C is squarefree.

b. Since B | C, $B \sim P_1^{\delta_1} \cdots P_n^{\delta_n}$, where $0 \le \delta_i \le e_i$, $1 \le i \le n$. To show that $\delta_i = e_i - 1$, let $P = P_i$, $e = e_i$ and $Q = C/P^e$. Then $C = P^e Q$ and $C' = P^e Q' + e P^{e-1} P' Q$, hence $P^{e-1} \mid B$. Suppose $P^e \mid B$. Then $P^e \mid C'$, hence $P^e \mid e P^{e-1} P' Q$, and since D is an integral domain, $P \mid e P' Q$. But P and Q are relatively prime, so $P \mid e P'$. Since the characteristic of D is zero, $eP' \neq 0$, hence $\deg(eP') \ge \deg(P)$, a contradiction. Thus $P^{e-1} \mid B$, while $P^e \nmid B$, so $\delta_i = e - 1 = e_i - 1$.

c, d. Obvious from b.
Thus to factor C one could compute the greatest squarefree divisor A = C/gcd(C, C') and factor it to obtain the $P_i$, then divide C by $P_i$ as many times as possible, to determine the $e_i$. However, we can do better than this if C is not already squarefree, for we will show that we can then partially factor A and determine the $e_i$ by means of further gcd calculations.

Let $Q_i = \prod_{j \in E_i} P_j$, where $E_i = \{j : e_j = i\}$. ($Q_i = 1$ when $E_i$ is empty.) Then, for $t = \max\{e_1, \dots, e_n\}$ we have

$C = Q_1 Q_2^2 \cdots Q_t^t$, $Q_i$ squarefree, $\deg(Q_t) > 0$, $\gcd(Q_i, Q_j) \sim 1$ for $i \neq j$. (2)

We call (2) a squarefree factorization of C, since each $Q_i$ is either unity or a squarefree polynomial of positive degree. The $Q_i$ are uniquely determined by the conditions in (2), except for unit factors.

By Theorem S, if B = gcd(C, C') and A = C/B then $B \sim Q_2 Q_3^2 \cdots Q_t^{t-1}$ and $A \sim Q_1 Q_2 \cdots Q_t$. If D = gcd(A, B) then $D \sim Q_2 Q_3 \cdots Q_t$, hence $Q_1 \sim A/D$. The following algorithm shows how we can continue, computing $Q_2, \dots, Q_t$:

Algorithm S (Squarefree factorization). Let D be a UFD of characteristic zero. Given a primitive polynomial C of positive degree, let $C = Q_1 Q_2^2 \cdots Q_t^t$ be a squarefree factorization of C. This algorithm computes t and $A_1 \sim Q_1, \dots, A_t \sim Q_t$.

(1) Set B ← gcd(C, C'), A ← C/B, j ← 1.

(2) (At this point $B \sim Q_{j+1} Q_{j+2}^2 \cdots Q_t^{t-j}$ and $A \sim Q_j Q_{j+1} \cdots Q_t$.) If B ~ 1 then set t ← j, $A_j$ ← A, and exit.

(3) Set D ← gcd(A, B), $A_j$ ← A/D. (Then $D \sim Q_{j+1} Q_{j+2} \cdots Q_t$ and $A_j \sim Q_j$.)

(4) Set B ← B/D, A ← D, j ← j + 1, and go to (2).

The reader may easily verify the inductive assertions in the algorithm.
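Algorithm S carried out over D = Z, as an added example rather than code from the paper: the gcd in Z[x] is obtained here by Euclid's algorithm over Q followed by taking the primitive part (the paper leaves the gcd method open), and the list-of-coefficients representation and the function names are this example's own.

```python
# Added example (not the paper's code): Algorithm S over D = Z.  A polynomial is a
# list of integer coefficients, lowest degree first: [c0, c1, ..., cn] stands for
# c0 + c1 x + ... + cn x^n.  gcd(C, C') in Z[x] is computed here by Euclid's
# algorithm over Q followed by taking the primitive part (one choice among several).
from fractions import Fraction
from functools import reduce
from math import gcd

def strip(p):
    """Drop leading zero coefficients so that p[-1] is lc(p); [] is zero."""
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def deg(p):
    return len(strip(p)) - 1            # -1 plays the role of deg(0) = -infinity

def mul(p, q):
    out = [0] * (len(p) + len(q) - 1) if p and q else []
    for i, a in enumerate(p):
        for k, b in enumerate(q):
            out[i + k] += a * b
    return strip(out)

def derivative(p):
    return strip([i * c for i, c in enumerate(p)][1:])

def divmod_q(p, q):
    """Algorithm D over the field Q: p = q*Quot + Rem with deg(Rem) < deg(q)."""
    p = [Fraction(c) for c in strip(p)]
    q = [Fraction(c) for c in strip(q)]
    quot = [Fraction(0)] * max(len(p) - len(q) + 1, 1)
    while p and len(p) >= len(q):
        n = len(p) - len(q)
        t = p[-1] / q[-1]               # T = (lc(p)/lc(q)) x^n
        quot[n] = t
        p = strip([p[k] - t * q[k - n] if k >= n else p[k] for k in range(len(p))])
    return strip(quot), p

def exact_div(p, q):
    """Exact quotient in Z[x]; raises if q does not divide p."""
    quot, rem = divmod_q(p, q)
    if rem or any(c.denominator != 1 for c in quot):
        raise ValueError("not an exact division in Z[x]")
    return [int(c) for c in quot]

def primitive_part(p):
    """pp(p): divide out the content, normalising lc(p) to be positive."""
    p = strip(p)
    if not p:
        return []
    d = reduce(gcd, (abs(c) for c in p))
    if p[-1] < 0:
        d = -d
    return [c // d for c in p]

def poly_gcd(p, q):
    """gcd in Z[x] up to sign: Euclid over Q, then the primitive part."""
    p = [Fraction(c) for c in strip(p)]
    q = [Fraction(c) for c in strip(q)]
    while q:
        _, r = divmod_q(p, q)
        p, q = q, r
    lcm = reduce(lambda x, y: x * y // gcd(x, y), (c.denominator for c in p), 1)
    return primitive_part([int(c * lcm) for c in p])

def squarefree_factorization(c):
    """Algorithm S: [A_1, ..., A_t] with A_i ~ Q_i and C = Q_1 Q_2^2 ... Q_t^t.
    C is assumed primitive and of positive degree, as in the paper."""
    b = poly_gcd(c, derivative(c))      # (1) B <- gcd(C, C')
    a = exact_div(c, b)                 #     A <- C/B, j <- 1
    factors = []
    while True:
        if deg(b) == 0:                 # (2) B ~ 1: t = j, A_j <- A, exit
            factors.append(primitive_part(a))
            return factors
        d = poly_gcd(a, b)              # (3) D <- gcd(A, B), A_j <- A/D
        factors.append(primitive_part(exact_div(a, d)))
        b, a = exact_div(b, d), d       # (4) B <- B/D, A <- D, j <- j + 1

def squarefree_product(factors):
    """Multiply A_1 A_2^2 ... A_t^t back together (to check a factorization)."""
    out = [1]
    for i, f in enumerate(factors, start=1):
        for _ in range(i):
            out = mul(out, f)
    return out
```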

Algorithm S is based on an algorithm presented by Horowitz in [HOR69, pp. 58-60, 69-70], which in turn was based on an algorithm due to Robert Tobey. Horowitz' version is equivalent to Algorithm S with steps (3) and (4) replaced by:

(3') Set E ← gcd(B, B'), D ← B/E, $A_j$ ← A/D. (Then D and $A_j$ are as in step (3).)

(4') Set B ← E, A ← D, j ← j + 1, and go to (2).

Note that D and E = B/D are computed in both versions, but in different ways. Algorithm S appears to require slightly less computation than Horowitz' version, but its main virtue seems to be that it can be easily adapted for squarefree factorization over finite fields (which are of prime rather than zero characteristic), whereas it appears to be rather difficult to adapt Horowitz' version for this problem. Algorithms for the finite field case are discussed in [MUS71]. These algorithms are, however, not necessary in the application to factoring integral polynomials, as will be seen in the following section.
3.3. Choice of modulus. Now assume C(x) is primitive and squarefree. We next choose a modulus p such that factorization in E[x] is possible, where E = D/(p). We shall see in Section 3.7 that in order to apply the Hensel construction to lift a given factorization

$C \equiv AB \pmod p$ (1)

to a corresponding factorization

$C \equiv \bar A \bar B \pmod{p^j}$

it is necessary to also have S, T such that

$AS + BT \equiv 1 \pmod p$. (2)

Sufficient conditions for the existence of S, T are that E be a field and A and B be relatively prime over E, for then the Extended Euclidean Algorithm yields S and T. Let us assume that we can find p such that E is a field and C has the same degree and remains squarefree mod p (i.e. when regarded as a polynomial over E). Then, in (1), A and B must be relatively prime, and thus (2) is satisfiable.

As we saw in Theorem S, part a, if we compute B = gcd(C, C') in E[x] and find deg(B) = 0 then this guarantees that C is squarefree in E[x].

In the case D = Z, we choose a prime integer p, obtaining E = GF(p), the Galois field of order p. We shall see in Section 4.1 that there are only a finite number of primes p for which C can fail to be squarefree mod p. There are a number of other considerations in the choice of primes in Z, as we shall discuss in Section 4.1.
3.4. Factorization mod p. Since we have chosen p so that E is a field, E[x] is a UFD. We assume the existence of an algorithm for factoring in E[x], but not necessarily one which obtains the complete factorization of C mod p. A partial factorization

$C \equiv g \prod_{k=1}^{r} G_k \pmod p$ (1)

will suffice, provided the $G_k$ are distinct and there exists a partition of the $G_k$ into subsets corresponding to the irreducible factors $F_i$ of C, as described in Section 2, step 3. Ideally, we would like to find the factorization in which each $G_k$ is the image of some $F_i$, but generally there is no a priori way of satisfying the partition requirement other than obtaining the complete factorization in E[x]. We shall see, however, in Section 5 a very important case in which it can be satisfied with a partial factorization.

Since E is a field, it is convenient to assume the $G_k$ are monic. Then g ≡ lc(C) (mod p).

Of course, if we find that r = 1 then, since C(x) has the same degree modulo p, it must be irreducible over D, and we are done. Otherwise we have to continue with the following steps.

3.5. Determining modulus size. In choosing our modulus p, we gave no consideration in Section 3.3 to its "size." If D = Z and p is sufficiently large, then the set $\{-\lfloor p/2 \rfloor, \dots, 0, \dots, \lfloor p/2 \rfloor\}$ of residues of p contains the coefficients of any factor of C, and we could proceed directly to determine the true factors of C using the mod p factorization. For large p, however, it may be very difficult to obtain the mod p factorization (this point is discussed further in Section 4.1). Hensel's construction provides the alternative of using a small prime p and lifting a mod p factorization to a mod $p^j$ factorization for sufficiently large j.

In the case of an abstract domain D, our assumption at this point is that we can algorithmically determine a positive integer j and a complete set of residues R of $p^j$, such that R is a factoring set for C. In general, we define a factoring set for C to be any subset of D which contains the coefficients of any factor $A^*$ of $C^* = \mathrm{lc}(C) \cdot C$ for which $\deg(A^*) \le \lfloor \deg(C)/2 \rfloor$ and $\mathrm{lc}(A^*) \mid \mathrm{lc}(C)$. These requirements may seem odd, but will become clear when we examine the operation of the algorithm for finding true factors, in Section 3.8.
3.6. Lifting a factorization (Hensel's construction for several factors).

At this point we have a primitive, squarefree polynomial C ∈ D[x], p ∈ D such that E = D/(p) is a field and C has the same degree and is squarefree mod p, a positive integer j and monic polynomials $G_1, \dots, G_r \in D[x]$ (r ≥ 2) such that

$C \equiv \mathrm{lc}(C)\, G_1 \cdots G_r \pmod p$.

The goal now is to lift this factorization to a corresponding one mod $p^j$, i.e.

$C \equiv \mathrm{lc}(C)\, H_1 \cdots H_r \pmod{p^j}$,

$H_i \equiv G_i \pmod p$, $\deg(H_i) = \deg(G_i)$, $H_i$ is monic, $i = 1, \dots, r$.

This is done by repeated application of Hensel's construction to pairs of factors in which one factor is $G_i$ and the other is $G_{i+1} \cdots G_r$.

1. Set $\bar C$ ← C mod p, i ← 1.

2. (Now we have

a. $C_0 \equiv C H_1 \cdots H_{i-1} \pmod{p^j}$ where $C_0$ was the initial value of C;

b. $H_k \equiv G_k \pmod p$, $\deg(H_k) = \deg(G_k)$, and $H_k$ is monic for $k = 1, \dots, i - 1$;

c. $\bar C \equiv C \equiv \mathrm{lc}(C)\, G_i G_{i+1} \cdots G_r \pmod p$;

d. C is squarefree mod p.)

Set A ← $G_i$, B ← $\bar C / A$ (division mod p). (Thus C ≡ AB (mod p), A is monic, and A and B are relatively prime mod p, by d.)

3. Using the Extended Euclidean Algorithm, obtain S, T ∈ D[x] such that AS + BT ≡ 1 (mod p).

4. Apply Algorithm Q (Hensel's construction, as described in Section 3.7) to p, j, C, A, B, S, T, obtaining $\bar A, \bar B, \bar S, \bar T \in D[x]$ such that

$C \equiv \bar A \bar B \pmod{p^j}$,

$\bar A \equiv A \pmod p$,

$\bar B \equiv B \pmod p$,

$\deg(\bar A) = \deg(A)$,

$\bar A$ is monic.

5. Set $H_i$ ← $\bar A$, C ← $\bar B$, $\bar C$ ← B, i ← i + 1. If i < r, go to step 2. Otherwise, exit.
3.7.  Quadratic  Hensel  construction.  This  "quadratic"  construction,  so- 

2  4  8 

called  because  it  progresses  through  factorizations  modulo  p,  p  ,  p  ,  p  ,  . . . 
in  successive  iterations,  will  be  given  in  essentially  the  form  discussed 
by  Knuth  [  KNU69,  pp.  398,  546].  This  version  differs  somewhat  from 
the  construction  proposed  by  Zassenhaus  [  ZAS69],  although  the  latter 
is  also  quadratic  in  nature.  (Hensel's  original  construction,  in  the 
theory  of  p-adic  fields,  was  linear  [  VDW  49,  pp.  248-250].) 

Algorithm Q (Quadratic Hensel Algorithm). Let D be a commutative ring with identity. The inputs are an element p of D; a positive integer j; and polynomials $C, \bar A, \bar B, \bar S, \bar T \in D[x]$ such that $C \equiv \bar A \bar B \pmod p$, $\bar A \bar S + \bar B \bar T \equiv 1 \pmod p$, $\bar A$ is monic.

The outputs are $q = p^i$ where $i \ge j$ and $A, B, S, T \in D[x]$ satisfying

$$C \equiv AB \pmod q,\quad AS + BT \equiv 1 \pmod q,\quad A \equiv \bar A,\ B \equiv \bar B,\ S \equiv \bar S,\ T \equiv \bar T \pmod p, \qquad (1)$$

$\deg(A) = \deg(\bar A)$ and A is monic.

1. Set $i \leftarrow 1$, $q \leftarrow p$, $A \leftarrow \bar A$, $B \leftarrow \bar B$, $S \leftarrow \bar S$, $T \leftarrow \bar T$.

2. (Now $q = p^i$; $A, B, S, T \in D[x]$ and the conditions (1) are satisfied.) If $i \ge j$, exit.

3. Set $U \leftarrow (C - AB)/q$. (Since $C \equiv AB \pmod q$ we know $U \in D[x]$.) Using Algorithm S, which is described below, with inputs $A, B, S, T, U$, solve the congruence $AY + BZ \equiv U \pmod q$ for $Y, Z \in D[x]$ such that $\deg(Z) < \deg(A)$.

4. Set $A^* \leftarrow A + qZ$, $B^* \leftarrow B + qY$. (Thus

$$C - A^* B^* = C - AB - q(AY + BZ) - q^2 YZ = q(U - AY - BZ) - q^2 YZ \equiv 0 \pmod{q^2};$$

furthermore $A^* \equiv A \equiv \bar A \pmod p$ and $B^* \equiv B \equiv \bar B \pmod p$; and, since $\deg(Z) < \deg(A)$, $\deg(A^*) = \deg(A) = \deg(\bar A)$ and $\mathrm{lc}(A^*) = \mathrm{lc}(A)$, so $A^*$ is monic.)

5. Set $U_1 \leftarrow (A^* S + B^* T - 1)/q$. Using Algorithm S with inputs $A, B, S, T, U_1$, solve the congruence $AY_1 + BZ_1 \equiv U_1 \pmod q$ for $Y_1, Z_1 \in D[x]$ such that $\deg(Z_1) < \deg(A)$.

6. Set $S^* \leftarrow S - qY_1$, $T^* \leftarrow T - qZ_1$. (Thus

$$A^* S^* + B^* T^* = A^*(S - qY_1) + B^*(T - qZ_1) = A^* S + B^* T - q(A^* Y_1 + B^* Z_1) = 1 + q(U_1 - A^* Y_1 - B^* Z_1) \equiv 1 + q(U_1 - AY_1 - BZ_1) \equiv 1 \pmod{q^2}.)$$

7. Replace $i, q, A, B, S, T$ by $2i, q^2, A^*, B^*, S^*, T^*$ and go to step 2.

Note that we did not need to assume D was a UFD, but only a commutative ring with identity. The algorithm of Section 3.6 also works under this weaker assumption. In Section 5 we shall see applications of these algorithms when D is commutative with identity but fails to be an integral domain.

Algorithm S (Solution of a polynomial equation). Let E be a commutative ring with identity. Given $A, B, S, T, U \in E[x]$ such that $\mathrm{lc}(A)$ is a unit of E and $AS + BT = 1$, this algorithm computes $Y, Z \in E[x]$ such that $AY + BZ = U$ and $\deg(Z) < \deg(A)$.

1. Set $V \leftarrow TU$.

2. Using Algorithm D of Section 1.4, compute $Q, Z \in E[x]$ such that $V = AQ + Z$, $\deg(Z) < \deg(A)$.

3. Set $Y \leftarrow SU + BQ$ and exit. (Then $AY + BZ = A(SU + BQ) + B(TU - AQ) = (AS + BT)U = U$.)

In Section 3.9 we shall prove two theorems concerning the uniqueness of the outputs of Algorithms S and Q.
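Algorithms S and Q above, worked through for $D = \mathbb{Z}$ and $q = p^i$ with coefficients kept as symmetric residues (Section 4), as an added Python example that is not code from the paper or from its SAC-1 or Pascal implementations. The extended-Euclid routine `bezout_mod_p` that supplies the initial $S, T$ and the sample polynomial $C = (x+2)(x+3)(x+5)$ with $p = 7$ are my own additions; polynomials are lists of integer coefficients, lowest degree first.

```python
from typing import List, Tuple

Poly = List[int]  # coefficient list: index i holds the coefficient of x**i

def trim(a: Poly) -> Poly:
    """Drop leading zeros so that a[-1] is lc(a); the zero polynomial is []."""
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def sym(c: int, q: int) -> int:
    """Symmetric residue of c modulo q, in {-floor(q/2), ..., floor(q/2)}."""
    r = c % q
    return r - q if r > q // 2 else r

def pmod(a: Poly, q: int) -> Poly:
    return trim([sym(c, q) for c in a])

def padd(a: Poly, b: Poly) -> Poly:
    n = max(len(a), len(b))
    return trim([(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(n)])

def psub(a: Poly, b: Poly) -> Poly:
    return padd(a, [-c for c in b])

def pscale(a: Poly, k: int) -> Poly:
    return trim([k * c for c in a])

def pmul(a: Poly, b: Poly) -> Poly:
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim(out)

def exact_div(a: Poly, q: int) -> Poly:
    """(C - AB)/q style division: every coefficient must be a multiple of q."""
    assert all(c % q == 0 for c in a), "division by the modulus is not exact"
    return [c // q for c in a]

def pdivmod(v: Poly, a: Poly, q: int) -> Tuple[Poly, Poly]:
    """Algorithm D modulo q: v = a*Q + R, deg(R) < deg(a); lc(a) must be a unit mod q."""
    v, a = pmod(v, q), pmod(a, q)
    inv = pow(a[-1], -1, q)
    quo = [0] * max(len(v) - len(a) + 1, 1)
    while len(v) >= len(a):
        k = len(v) - len(a)                     # degree of the next quotient term
        quo[k] = sym(v[-1] * inv, q)
        v = pmod(psub(v, [0] * k + pscale(a, quo[k])), q)
    return trim(quo), v

def algorithm_s(A: Poly, B: Poly, S: Poly, T: Poly, U: Poly, q: int) -> Tuple[Poly, Poly]:
    """Algorithm S: Y, Z with A*Y + B*Z = U (mod q), deg(Z) < deg(A), given A*S + B*T = 1 (mod q)."""
    Q, Z = pdivmod(pmul(T, U), A, q)            # step 2: V = T*U = A*Q + Z
    Y = pmod(padd(pmul(S, U), pmul(B, Q)), q)   # step 3: Y = S*U + B*Q
    return Y, Z

def bezout_mod_p(a: Poly, b: Poly, p: int) -> Tuple[Poly, Poly]:
    """Extended Euclid in GF(p)[x] (my addition): S, T with a*S + b*T = 1 (mod p)."""
    r0, r1, s0, s1, t0, t1 = pmod(a, p), pmod(b, p), [1], [], [], [1]
    while r1:
        Q, R = pdivmod(r0, r1, p)
        r0, r1 = r1, R
        s0, s1 = s1, pmod(psub(s0, pmul(Q, s1)), p)
        t0, t1 = t1, pmod(psub(t0, pmul(Q, t1)), p)
    if len(r0) != 1:
        raise ValueError("factors are not relatively prime mod p")
    inv = pow(r0[0], -1, p)
    return pmod(pscale(s0, inv), p), pmod(pscale(t0, inv), p)

def hensel_lift(C: Poly, A: Poly, B: Poly, S: Poly, T: Poly, p: int, j: int):
    """Algorithm Q over D = Z: from C = A*B (mod p), A*S + B*T = 1 (mod p), A monic,
    return (q, A, B, S, T) with q = p**i, i >= j, the same congruences mod q, A monic."""
    i, q = 1, p
    A, B, S, T = (pmod(X, p) for X in (A, B, S, T))
    while i < j:
        # step 3: U = (C - AB)/q lies in Z[x] because C = AB (mod q)
        U = pmod(exact_div(psub(C, pmul(A, B)), q), q)
        Y, Z = algorithm_s(A, B, S, T, U, q)
        # step 4: A* = A + qZ, B* = B + qY gives C = A*B* (mod q^2)
        A2, B2 = padd(A, pscale(Z, q)), padd(B, pscale(Y, q))
        # steps 5-6: U1 = (A*S + B*T - 1)/q, then S* = S - qY1, T* = T - qZ1
        U1 = pmod(exact_div(psub(padd(pmul(A2, S), pmul(B2, T)), [1]), q), q)
        Y1, Z1 = algorithm_s(A, B, S, T, U1, q)
        S2, T2 = psub(S, pscale(Y1, q)), psub(T, pscale(Z1, q))
        # step 7: i <- 2i, q <- q^2; coefficients kept as symmetric residues mod q
        i, q = 2 * i, q * q
        A, B, S, T = (pmod(X, q) for X in (A2, B2, S2, T2))
    return q, A, B, S, T

if __name__ == "__main__":
    # constructed sample: C = (x+2)(x+3)(x+5) = x^3 + 10x^2 + 31x + 30 and p = 7,
    # with A = x + 2 and B = (x+3)(x+5) mod 7 = x^2 + x + 1 as the mod-7 factors
    C, p = [30, 31, 10, 1], 7
    S0, T0 = bezout_mod_p([2, 1], [1, 1, 1], p)
    q, A, B, S, T = hensel_lift(C, [2, 1], [1, 1, 1], S0, T0, p, 4)
    print(q, A, B)   # 2401 [2, 1] [15, 8, 1]: B is now the true cofactor (x+3)(x+5)
```

Because $x + 2$ is a true factor, Theorem Q (Section 3.9) forces the lifted $A$ to stay $x + 2$, while $B$ grows from $x^2 + x + 1$ to $x^2 + 8x + 15$ once the modulus exceeds its coefficients.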

3.8. Finding true factors. Having obtained the mod $m = p^j$ factors $H_1, \ldots, H_r$ of C from the algorithm of Section 3.6, we must now consider each combination of these factors, testing by trial division whether its modulo m product is a true factor. Since we do not know the leading coefficient of the factor, it is necessary to form the factor with leading coefficient $c = \mathrm{lc}(C)$ and attempt to divide it into $C^* = c \cdot C$. If this division successfully yields a factor $A^*$ of $C^*$ then $\mathrm{pp}(A^*)$ is a factor of C. Only those combinations with $\deg(A^*) \le \lfloor \deg(C)/2 \rfloor$ need be considered. From these considerations we can now see the motivation for the definition given in Section 3.5 of a "factoring set" R for C: a set which contains the coefficients of any factor $A^*$ of $C^*$ for which $\deg(A^*) \le \lfloor \deg(C)/2 \rfloor$ and $\mathrm{lc}(A^*) \mid c$.

Algorithm T (Finding true factors by combining modulo m factors). Let D be a UFD, m be an element of D and R be a complete set of residues of m in D. Given a primitive polynomial $C \in D[x]$ and a list of monic polynomials $H_1, \ldots, H_r \in D[x]$ such that

$$C \equiv \mathrm{lc}(C)\, H_1 \cdots H_r \pmod m,$$

this algorithm obtains irreducible $F_1, \ldots, F_q \in D[x]$ comprising the complete factorization of C:

$$C = F_1 \cdots F_q .$$

The following conditions are assumed to be satisfied.

a. R is a factoring set for C.

b. For each factor $F_k$ there is an index set $I_k \subseteq \{1, \ldots, r\}$ such that

$$F_k \equiv \mathrm{lc}(F_k) \prod_{i \in I_k} H_i \pmod m .$$

Remark: In Section 3.9 we shall show that the mod $m = p^j$ factors $H_1, \ldots, H_r$ produced by the algorithm of Section 3.6 satisfy assumption b.

1. Set $q \leftarrow 1$, $d \leftarrow 1$. (d will run through the integers $1, 2, \ldots, \lfloor \deg(C)/2 \rfloor$.)

2. Set $c \leftarrow \mathrm{lc}(C)$, $C^* \leftarrow c \cdot C$.

3. (Now we have a, b and

c. $C_0 \equiv C F_1 \cdots F_{q-1} \pmod m$ where $C_0$ = initial value of C;

d. $F_1, \ldots, F_{q-1}$ are irreducible;

e. $c = \mathrm{lc}(C)$, $C^* = cC$;

f. C has no factor B such that $0 < \deg(B) < d$.)

If $d > \lfloor \deg(C)/2 \rfloor$, set $F_q \leftarrow C$ and exit.

4. For each $I \subseteq \{1, \ldots, r\}$ such that $\sum_{i \in I} \deg(H_i) = d$:

a. Set $A^* \leftarrow c \prod_{i \in I} H_i \bmod m$, with coefficients in R.

b. If $A^* \mid C^*$, set $B^* \leftarrow C^*/A^*$ and go to step 6.

5. Set $d \leftarrow d + 1$ and go to step 3.

6. Set $A \leftarrow \mathrm{pp}(A^*)$, $F_q \leftarrow A$, $q \leftarrow q + 1$, $C \leftarrow B^*/\mathrm{lc}(A)$, and delete from $H_1, \ldots, H_r$ those with $i \in I$ (this changes r).


3.9. Correctness of the overall algorithm. To establish the correctness of the overall algorithm we have to prove that the modulo $m = p^j$ factorization obtained by the algorithm of Section 3.6 satisfies the input assumption b of Algorithm 3.8T, namely that to each true factor $F_k$ of C there is some corresponding set of factors $H_i$ in the modulo m factorization.

To this end we first prove:

Theorem S. Under the assumptions of Algorithm 3.7S, the polynomials Y and Z are uniquely determined.

Proof: Let $AY_1 + BZ_1 = U$ with $\deg(Z_1) < \deg(A)$. Then $AY_1 + BZ_1 = AY + BZ$, which may be written

$$A(Y_1 - Y) = B(Z - Z_1). \qquad (1)$$

Upon multiplying both sides by T and adding $AS(Z - Z_1)$ to both sides, we obtain

$$A[S(Z - Z_1) + T(Y_1 - Y)] = (AS + BT)(Z - Z_1) = Z - Z_1 .$$

Unless the polynomial in brackets is zero, the degree of the product on the left side is $\ge \deg(A)$, since $\mathrm{lc}(A)$ is a unit. But $\deg(Z - Z_1) < \deg(A)$, so we conclude that $Z = Z_1$ and by (1) we then have $A(Y_1 - Y) = 0$, which, with the fact that $\mathrm{lc}(A)$ is a unit, implies $Y_1 = Y$.

The following theorem concerns the uniqueness of the polynomials computed by Algorithm 3.7Q:
Theorem Q. Let D be a commutative ring with identity, p be an element of D which is not a zero-divisor, and j be a positive integer. Let $A, B, A_1, B_1, S, T \in D[x]$ satisfy

a. $A_1 B_1 \equiv AB \pmod{p^j}$;

b. $\deg(A_1) = \deg(A)$, $\mathrm{lc}(A_1) = \mathrm{lc}(A) = 1$;

c. $A_1 \equiv A$ and $B_1 \equiv B \pmod p$;

d. $AS + BT \equiv 1 \pmod p$.

Then $A_1 \equiv A$ and $B_1 \equiv B \pmod{p^j}$.

Proof: From c we have the conclusion when $j = 1$. Let $j > 1$. From a, we have $A_1 B_1 \equiv AB \pmod{p^{j-1}}$, so we may assume by induction that $A_1 \equiv A$ and $B_1 \equiv B \pmod{p^{j-1}}$. Hence there exist $Y, Z \in D[x]$ such that $A_1 = A + p^{j-1} Z$, $B_1 = B + p^{j-1} Y$. Thus

$$A_1 B_1 = AB + p^{j-1}(AY + BZ) + p^{2j-2} YZ,$$

$$0 \equiv p^{j-1}(AY + BZ) \pmod{p^j}.$$

From this congruence and the assumption that p is not a zero-divisor follows

$$AY + BZ \equiv 0 \pmod p.$$

Also, by b we have $\deg(Z) < \deg(A)$. Hence by Theorem S applied to the ring $D/(p)$ we have $Y \equiv Z \equiv 0 \pmod p$, from which we obtain the conclusion of the theorem.

We are now prepared to prove:

Theorem T. Let D be a UFD and p be an element of D for which $D/(p)$ is a field. Let $C \in D[x]$ for which $p \nmid \mathrm{lc}(C)$ and C is squarefree mod p. Suppose C has the factorizations

$$C = F_1 \cdots F_q, \quad F_i \text{ distinct, irreducible};$$

$$C \equiv c\, G_1 \cdots G_r \pmod p,$$

$$C \equiv c\, H_1 \cdots H_r \pmod{p^j}, \quad c = \mathrm{lc}(C);\ G_i, H_i \text{ monic};$$

$$H_i \equiv G_i \pmod p;$$

and that $\{1, \ldots, r\}$ is the disjoint union of index sets $I_1, \ldots, I_q$ such that

$$F_k \equiv f_k \prod_{i \in I_k} G_i \pmod p, \quad f_k = \mathrm{lc}(F_k).$$

Then also

$$F_k \equiv f_k \prod_{i \in I_k} H_i \pmod{p^j}.$$

Proof: Since $p \nmid \mathrm{lc}(C)$, also $p \nmid f_k$ and $f_k^{-1}$ exists mod p. It is easy to show that $f_k^{-1}$ exists mod $m = p^j$ also. Put

$$A \equiv f_k^{-1} F_k \pmod m,$$

$$B \equiv C/A \pmod m,$$

$$A_1 \equiv \prod_{i \in I_k} H_i \pmod m,$$

$$B_1 \equiv c \prod_{i \in I - I_k} H_i \pmod m, \quad I = \{1, \ldots, r\}.$$

Then we have

a. $A_1 B_1 \equiv AB \pmod m$;

b. $\deg(A_1) = \deg(A)$, $\mathrm{lc}(A_1) = \mathrm{lc}(A) = 1$;

c. $A_1 \equiv A$ and $B_1 \equiv B \pmod p$;

d. Since C is squarefree mod p, A and B are relatively prime mod p and there exist S, T such that

$$AS + BT \equiv 1 \pmod p.$$

Therefore, by Theorem Q, $A_1 \equiv A$ and $B_1 \equiv B \pmod m$ and therefore

$$F_k \equiv f_k \prod_{i \in I_k} H_i \pmod m,$$

as was to be shown.
4. Application to univariate polynomials over the integers

To obtain algorithms for factoring univariate polynomials over the integers, we take $D = \mathbb{Z}$ and choose a prime integer p as the modulus, so that the mod p factorizations are factorizations of polynomials over $E = \mathbb{Z}/(p) = \mathrm{GF}(p)$, the Galois field of order p. $\mathrm{GF}(p)$, and more generally $\mathbb{Z}/(m)$ with $m = p^j$, is conveniently represented by the integers $0, 1, 2, \ldots, m-1$, with arithmetic performed modulo m. The "symmetric residues" $-\lfloor m/2 \rfloor, \ldots, 0, \ldots, \lfloor m/2 \rfloor$ (m odd) could also be used. Division of a by b, with b relatively prime to m, can be performed using the Extended Euclidean algorithm to compute multipliers s, t such that $bs + mt = 1$, so that $bs \equiv 1 \pmod m$ and $as \equiv a/b \pmod m$. Arithmetic modulo m is discussed further in [KNU69, §4.6.1] and [COL69].

4.1. Choice of a prime. The first consideration in the choice of a prime p is that the squarefree polynomial $C(x)$ must remain squarefree modulo p. Since C is squarefree, the discriminant of C, $\mathrm{discr}(C)$, is a non-zero integer. Let $\bar C = C \bmod p$. If p does not divide $\mathrm{lc}(C)$ then $\mathrm{discr}(\bar C) = \mathrm{discr}(C) \bmod p$, so if p is not a divisor of $\mathrm{discr}(C)$ then $\mathrm{discr}(\bar C) \ne 0$ and $\bar C$ is squarefree. Hence $C \bmod p$ is squarefree for all but a finite number of primes; and in fact, for a given p, $C \bmod p$ is squarefree with probability $1 - 1/p$ [KNU69, Ex. 4.6.2-2]. We can efficiently test whether $\bar C$ is squarefree by testing whether $\gcd(\bar C, \bar C') = 1$ in $\mathrm{GF}(p)[x]$, where $\bar C'$ is the derivative of $\bar C$.
The size of primes used is an important factor in the choice of an algorithm for factoring over $\mathrm{GF}(p)$. Trying large primes would reduce the chances of encountering primes for which $C \bmod p$ has repeated factors, and would also reduce the number of Hensel's construction iterations required to make $p^j$ sufficiently large. However, Berlekamp's 1967 algorithm for complete factorization over $\mathrm{GF}(p)$ is efficient only for small primes. The algorithm has two phases. In the first phase the number, r, of irreducible monic factors of the input C is determined. If $r > 1$, the second phase is performed to determine the actual factors. The computing time for the first phase is dominated by $n^3 (\log p)^2 + n^2 (\log p)^3$, where $n = \deg(C)$, and the time for the second phase by $n^2 r p (\log p)^2$ [KNU69, §4.6.2].

A newer algorithm devised by Berlekamp [BER70] is more efficient for large primes, at least in terms of average computing time. This algorithm has an average time dominated by a polynomial function of n and $\log p$, but the maximum computing time may be codominant with $n^3 p (\log p)^3$.

By contrast, the maximum time for the quadratic Hensel construction to lift a mod p factorization to a mod $m = p^j$ factorization is dominated by $n^2 (\log m)^2 + n (\log m) \log c$, where c is the maximum size of coefficients of C [MUS71]. Thus use of Berlekamp's original algorithm with a small prime p followed by Hensel's construction is probably much more efficient than to use Berlekamp's newer algorithm with a large prime. Another consideration is that the newer algorithm is considerably more complex than the earlier algorithm.

The third major consideration in the choice of a prime p is the number r of factors in the complete mod p factorization. If C is irreducible, but splits into $r > 1$ irreducible factors mod p, then r factors are also obtained mod $m = p^j$ and a total of $2^{r-1}$ subsets of factors are considered in Algorithm 3.8T. The time for all other phases of the overall algorithm is dominated by a polynomial function of n and $\log c$ (this is shown in [MUS71]), but since r can be as large as n, the time for Algorithm 3.8T can be an exponential function of n. The average time for randomly chosen inputs C (which are almost always irreducible [KNU69, Ex. 4.6.2-27]) is a polynomial function of n and $\log c$, since it can be shown that the average value of r is about $\log n$ and the average value of $2^{r-1}$ is about $(n+1)/2$. However, the variance of $2^{r-1}$ is quite large, about $(n^3 - n)/24$, causing a large variance in the overall computing time.

In order to reduce this variance one can factor modulo several small primes for which $C \bmod p$ is squarefree and choose a p which yields the smallest number of irreducible factors. Unfortunately, no matter how many primes are used, the maximum computing time will still be exponential in n: H. P. F. Swinnerton-Dyer has shown (see [BER70]) that for any n which is a power of 2, there is an irreducible integral polynomial of degree n which has at least $n/2$ irreducible factors modulo p for every prime p. By considering the size of the coefficients of these polynomials, the author has established that the computing time of any Berlekamp-Hensel algorithm for factoring integral polynomials cannot be dominated by a polynomial function of n and $\log c$. The same result can also be established using a certain class of cyclotomic polynomials which have more than $(\log n)^2$ factors for every prime.

Finding an algorithm for factoring integral polynomials with a polynomial dominated maximum computing time (or proving no such algorithm can exist) is a very interesting open problem. Nevertheless, it may not be a problem of great practical importance since the average time of the Berlekamp-Hensel algorithm is polynomial dominated.

There are other advantages to be gained from performing factorizations modulo several different primes. By considering the possible degrees of factors in these factorizations, we obtain important information about the degrees of true factors. If C has r irreducible mod p factors, then in a time dominated by rn we can compute the degree set $D_p$, the set of degrees of all mod p factors. Since the chosen primes do not divide $\mathrm{lc}(C)$, the degree set of C must be contained in $D_p$ for any prime p and therefore must be contained in $D_{p_1} \cap D_{p_2} \cap \cdots \cap D_{p_v}$, where $p_1, p_2, \ldots, p_v$ are the primes tried.

In general, this set can be used to eliminate many of the cases that would otherwise have to be considered in Algorithm 3.8T; and in particular, when C is irreducible, we will often find $D_{p_1} \cap D_{p_2} \cap \cdots = \{0, n\}$ after only a few primes have been tried, thus proving irreducibility of C without having to use the Hensel construction or Algorithm 3.8T at all. The author has verified, by empirical tests, simulations and theoretical analysis, that the average number of primes which must be tried before proving irreducibility is less than 5 for all $n < 200$.

This "degree testing algorithm" is a much more efficient means of proving irreducibility than merely searching for a prime p for which C is irreducible mod p. For the probability that a random polynomial C is irreducible modulo a given prime p is only about $1/n$ [KNU69, Ex. 4.6.2-4] and by the Chinese remainder theorem these mod p "trials" are independent, so an average of about n trials would be required to prove irreducibility.

In order to compute the degree set $D_p$ it is not necessary to factor completely mod p. One can use the "distinct degree factorization" algorithm described in [KNU69, p. 389] and [COL69]. Given a monic squarefree polynomial A over $\mathrm{GF}(p)$, this algorithm produces a list $L = ((d_1, A_1), \ldots, (d_s, A_s))$ where the $d_i$ are positive integers, $d_1 < d_2 < \cdots < d_s$, and $A_i$ is the product of all monic irreducible factors of A which are of degree $d_i$. Thus $A = A_1 \cdots A_s$ and this is a complete factorization just in case no two irreducible factors of A have the same degree.
From the list L it is easy to construct a list $\Delta = \{\delta_1, \delta_2, \ldots, \delta_r\}$ of the degrees of all irreducible factors of A, and from $\Delta$ one constructs the degree set D of degrees of all factors as follows: put $D = \{0\}$ and for $i = 1, \ldots, r$ replace D by $D \cup \{d + \delta_i : d \in D\}$. As remarked above, the time to compute the degree set from $\Delta$ is dominated by rn.

Another way of finding $\Delta$ without performing a complete factorization of A would be to perform only the first phase of Berlekamp's newer algorithm, in which a matrix of polynomials is computed in a block diagonal form. If A has $r_i$ irreducible factors of degree i, then there is an $r_i \times r_i$ block of polynomials of degree i. One could compute the determinant of the block, which is the product of all irreducible factors of degree i, and thus obtain the distinct degree factorization. But $\Delta$ is determinable directly from the matrix. The computing time of this phase of the algorithm has not been analyzed, but it is possibly faster than the distinct-degree factorization algorithm, whose time is dominated by $n^3 (\log p)^2 + n^2 (\log p)^3$.

Of course, if the degree tests fail to establish irreducibility, then a prime p is selected among those which yield the smallest number of irreducible factors, and the complete factorization must be obtained for this prime. With the distinct degree factorization, this is accomplished by applying Berlekamp's algorithm to each $A_i$ for which $d_i \ne \deg(A_i)$, the other $A_i$ being irreducible already. If the first phase of Berlekamp's newer algorithm has been used, then one merely continues with the rest of the algorithm.

4.2. Computing a bound on the coefficients of factors. The height of a polynomial $C(v_1, \ldots, v_s)$ with complex coefficients is defined to be the maximum of the absolute values of the coefficients. We saw in Section 3.5 that in order to fully determine the true factors of $C(x)$ from its modulo $p^j$ factorization it was necessary to have $p^j/2$ larger than the height of any factor of $C(x)$. Thus an a priori bound on the maximum height of factors of $C(x)$ is required. Typically, the height of every factor of $C(x)$ is no larger than the height of $C(x)$ itself, but there exist polynomials with factors of larger height, e.g. $x^3 + x^2 - x - 1 = (x^2 + 2x + 1)(x - 1)$. An excellent bound on the height of factors which is based only on the height and degree of $C(x)$ is given by A. O. Gelfond in [GEL60, pp. 135-140]. In fact, Gelfond establishes the bound for multivariate polynomials $C(v_1, \ldots, v_s) = C_1(v_1, \ldots, v_s) \cdots C_m(v_1, \ldots, v_s)$: if $n_i$ is the degree of C in $v_i$, $n = n_1 + \cdots + n_s$, and $H(C)$ denotes the height of C, then

$$H(C_1) \cdots H(C_m) \le 2^n H(C). \qquad (1)$$

Gelfond shows that this bound is essentially realizable.

In the univariate case, a number of other bounds have been used, as discussed in [MUS71, Section 3.4] and [MIG74]. The bounds discussed in [MUS71], however, require more computation with the coefficients of $C(x)$ than (1), yet generally give a much larger bound. Mignotte [MIG74] improves an earlier theorem of Gelfond which gives a bound similar to the univariate case of (1).

4.3. Hensel's construction. In Algorithm Q, if the coefficients of the initial values of A, B, S, T are chosen in the symmetric residue set $\{-\lfloor p/2 \rfloor, \ldots, 0, \ldots, \lfloor p/2 \rfloor\}$ and in Algorithm S the coefficients of Y and Z are chosen in the symmetric residue set $R_i = \{-\lfloor p^i/2 \rfloor, \ldots, \lfloor p^i/2 \rfloor\}$ then it is easy to show that the coefficients of A, B, S, T lie in $R_i$. Upon termination, we have $i = 2^k \ge j > 2^{k-1}$ for some k, and if $i > j$, the coefficients of A, B, S, T are larger than necessary, making computations in Algorithm T more expensive than necessary. This may be corrected by modifying steps 2-4 as follows:

2. [Done?] If $i = j$, exit. (This exit is taken only if $j = 1$.)

3. [Compute Y, Z.] If $2i > j$, set $\tilde q \leftarrow p^{j-i}$, $\tilde A \leftarrow A \bmod \tilde q$, $\tilde B \leftarrow B \bmod \tilde q$, $\tilde S \leftarrow S \bmod \tilde q$, $\tilde T \leftarrow T \bmod \tilde q$, taking the coefficients of $\tilde A, \tilde B, \tilde S, \tilde T$ in $\tilde R$ (the symmetric residues modulo $\tilde q$). Otherwise, just put $\tilde q \leftarrow q$, $\tilde A \leftarrow A$, $\tilde B \leftarrow B$, $\tilde S \leftarrow S$, $\tilde T \leftarrow T$. Set $U \leftarrow (C - AB)/q$ and apply Algorithm S to $\tilde A, \tilde B, \tilde S, \tilde T, U$, obtaining $Y, Z \in \mathbb{Z}[x]$ such that $\tilde A Y + \tilde B Z \equiv U \pmod{\tilde q}$ with coefficients in $\tilde R$ and $\deg(Z) < \deg(A)$.

4. [Compute $A^*$, $B^*$ and check for end.] Set $A^* \leftarrow A + qZ$, $B^* \leftarrow B + qY$. (Then $C \equiv A^* B^* \pmod{q \tilde q}$, $A^* \equiv A \pmod p$, $B^* \equiv B \pmod p$, $|\mathrm{lc}(A^*)| < p/2$ and the coefficients of $A^*$ and $B^*$ are bounded by $q \tilde q/2$.) If $2i > j$ (in which case $q \tilde q = p^j$), set $A \leftarrow A^*$, $B \leftarrow B^*$ and exit.

This modification also avoids computing S and T at the last iteration, since they are not used in further computations.

4.4. Finding true factors. There are two modifications of Algorithm 3.8T which can be of very significant benefit in the application to factoring univariate polynomials over the integers. First, one should add as an extra input the set $\mathcal{D} = D_{p_1} \cap D_{p_2} \cap \cdots \cap D_{p_r}$ computed from the mod $p_i$ degree sets and append the test "If $d \notin \mathcal{D}$, go to step 5." to step 3. This may greatly reduce the number of cases considered.

Secondly, a "trailing coefficient test" should be inserted in step 4a:

"a. Set $t \leftarrow c \prod_{i \in I} \mathrm{tc}(H_i) \bmod m$, $t \in R$; if $t \nmid \mathrm{tc}(C^*)$ then continue to the next index set. Otherwise, set $A^* \leftarrow \cdots$".

Thus, if t fails to divide $\mathrm{tc}(C^*)$, we know $A^*$ cannot divide $C^*$ and the computation of $A^*$ and the trial division of $C^*$ by $A^*$ are skipped.

Except in rare cases, this trailing coefficient test will in fact eliminate most of the computations of $A^*$ that are not true factors and will thus greatly reduce the average computing time of the algorithm.
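The degree-set construction of Section 4.1 and the two pruning tests just described, as an added Python example that is not part of the paper or of its SAC-1 or Pascal implementations. The $\Delta$ lists for three primes and the $(\deg(H_i), \mathrm{tc}(H_i))$ data of the mod-m factors below are constructed to illustrate the tests rather than taken from a real factorization; the trial division itself and the factor deletion of step 6 are left out.

```python
from itertools import combinations
from typing import List, Sequence, Set, Tuple

def degree_set(deltas: Sequence[int]) -> Set[int]:
    """Degree set D from Delta = (delta_1, ..., delta_r), the degrees of the irreducible
    factors mod p: start with D = {0} and replace D by D ∪ {d + delta_i : d in D}."""
    D = {0}
    for delta in deltas:
        D = D | {d + delta for d in D}
    return D

def combined_degree_set(deltas_per_prime: Sequence[Sequence[int]]) -> Set[int]:
    """Intersection of the degree sets of all primes tried; every true factor degree lies in it."""
    return set.intersection(*(degree_set(deltas) for deltas in deltas_per_prime))

def proves_irreducible(n: int, deltas_per_prime: Sequence[Sequence[int]]) -> bool:
    """The degree test of Section 4.1: C of degree n is irreducible once the intersection is {0, n}."""
    return combined_degree_set(deltas_per_prime) == {0, n}

def sym(c: int, m: int) -> int:
    """Symmetric residue of c modulo m (the representative in R)."""
    r = c % m
    return r - m if r > m // 2 else r

def surviving_index_sets(factors: Sequence[Tuple[int, int]], c: int, tc_cstar: int,
                         m: int, script_d: Set[int], half_deg: int):
    """Index sets I of Algorithm T step 4 that pass both tests of Section 4.4.
    factors: (deg(H_i), tc(H_i)) for the monic mod-m factors H_1..H_r;
    c = lc(C); tc_cstar = tc(C*) with C* = c*C; script_d = the combined degree set;
    half_deg = floor(deg(C)/2).  Returns the (d, I) pairs (0-based I) for which A*
    would still have to be built and trial-divided into C*."""
    survivors: List[Tuple[int, Tuple[int, ...]]] = []
    for d in range(1, half_deg + 1):
        if d not in script_d:
            continue                              # added step-3 test: "If d not in D, go to step 5"
        for size in range(1, len(factors) + 1):
            for I in combinations(range(len(factors)), size):
                if sum(factors[i][0] for i in I) != d:
                    continue                      # only index sets whose degrees sum to d
                t = c
                for i in I:
                    t = t * factors[i][1] % m
                t = sym(t, m)                     # t = c * prod tc(H_i) mod m, taken in R
                divides = (tc_cstar == 0) if t == 0 else (tc_cstar % t == 0)
                if not divides:
                    continue                      # trailing coefficient test: A* cannot divide C*
                survivors.append((d, I))
    return survivors

if __name__ == "__main__":
    # constructed data: deg(C) = 6, irreducible-factor degrees mod three primes
    deltas = [[1, 1, 2, 2], [3, 3], [1, 2, 3]]
    script_d = combined_degree_set(deltas)        # {0, 3, 6}: only cubic factors are possible
    print(proves_irreducible(6, deltas), script_d)
    # constructed mod-125 factors (deg, tc) and tc(C*) = 270, c = 1:
    # (0,2) and (1,3) play the true cubic factors, (1,2) wraps mod 125 and is pruned,
    # (0,3) survives the test and would be rejected by the trial division
    factors = [(1, 2), (1, 47), (2, 9), (2, -5)]
    print(surviving_index_sets(factors, 1, 270, 125, script_d, 3))
```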
5. Application to multivariate polynomials over the integers

Suppose now we are given a polynomial $C \in \mathbb{Z}[v_1, \ldots, v_n, x]$ to be factored. The most direct way of applying the abstract algorithms of Section 3 to this problem is to take $D = \mathbb{Z}[v_1, \ldots, v_n]$ and the modulus $p = v_n - a_n$ for some integer $a_n$. That is, we evaluate C at $v_n = a_n$, thereby obtaining a polynomial $\bar C \in E[x]$, where $E = \mathbb{Z}[v_1, \ldots, v_{n-1}]$ ($E = \mathbb{Z}$ if $n = 1$). We recursively factor $\bar C$, resorting to the univariate algorithm of Section 4 when all of the $v_i$ are eliminated. We then try to lift the factorization of $\bar C$ to a corresponding factorization of C modulo $(v_n - a_n)^{j_n}$ where $j_n$ is chosen to exceed the degree of C in $v_n$. Unfortunately this is not directly possible, since E is not a field and we cannot necessarily find, corresponding to a factorization $\bar C = \bar A \bar B$, multipliers S and $T \in E[x]$ such that $\bar A S + \bar B T = 1$, as is required in the Hensel construction. However, if we back up and take $D = \mathbb{Q}(v_1, \ldots, v_{n-1})[v_n]$, with $\mathbb{Q}(v_1, \ldots, v_{n-1})$ the field of rational functions of $v_1, \ldots, v_{n-1}$, we still have $C \in D[x]$, $p = v_n - a_n \in D$ and $\bar C = C(v_1, \ldots, v_{n-1}, a_n) \in E[x]$, where now $E = \mathbb{Q}(v_1, \ldots, v_{n-1})$ is a field and the Hensel construction can be applied.

The problem with this direct approach is that it requires many rational function computations, which are generally much more expensive than computations with polynomials (because of the gcd computations required to keep results in lowest terms).


Another, probably better approach would be to restrict the coefficient computations to $D = \mathbb{Z}[v_1, \ldots, v_n]$ by using a "trial Hensel construction." This construction uses polynomials $S, T \in E[x]$ and $r \in E = \mathbb{Z}[v_1, \ldots, v_{n-1}]$ for which $\bar A S + \bar B T = r$, in an attempt to find a factorization $C \equiv AB \pmod{(v_n - a_n)^{j_n}}$, $A, B \in D[x]$, corresponding to a factorization $\bar C = \bar A \bar B \pmod{v_n - a_n}$. The attempt may fail, but it is not difficult to arrange the computation so that the construction is guaranteed to succeed if $\bar A$ and $\bar B$ correspond to actual factors of C. This approach has the drawback that the polynomials S and T must be obtained independently (by a version of the Extended Euclidean Algorithm).

The algorithm to be discussed in this section avoids these problems by using a generalization of Hensel's construction which works simultaneously with several moduli. We take $D = \mathbb{Z}[v_1, \ldots, v_n]$ and moduli p (a prime integer) and $v_1 - a_1, \ldots, v_n - a_n$. Thus $\bar C = C(a_1, \ldots, a_n, x) \bmod p$ is a univariate polynomial in $E[x]$, where $E = \mathrm{GF}(p)$ as in the univariate case. A factorization $\bar C = \bar A \bar B$ can be lifted to a corresponding factorization $C \equiv AB \pmod{p^j, (v_1 - a_1)^{j_1}, \ldots, (v_n - a_n)^{j_n}}$, $A, B \in D[x]$, by the generalized Hensel construction. This construction works entirely with polynomials with integer coefficients (no rational function operations) and increases the moduli quadratically. The abstract algorithms of Section 3 have been stated only for a single modulus, but we shall describe in this section the changes and additional algorithms necessary to generalize to several moduli.

5.1. Choice of evaluation points. Given $C \in \mathbb{Z}[v_1, \ldots, v_n, x]$ we first reduce to the case in which C is primitive and squarefree as in Sections 3.1 and 3.2. Note that for the assumed algorithm for factoring the content of C in $D = \mathbb{Z}[v_1, \ldots, v_n]$ we just apply our multivariate algorithm recursively with one fewer variable.

Next we choose integers $a_1, \ldots, a_n$ such that the univariate integral polynomial $\bar C(x) = C(a_1, \ldots, a_n, x)$ has the same degree in x as C and is squarefree. The following algorithm first chooses $a_n$, trying $0, \pm 1, \pm 2, \ldots$ until finding a value such that $A = C(v_1, \ldots, v_{n-1}, a_n, x)$ has the same degree in x as C and is squarefree. In the same way, $a_{n-1}, \ldots, a_1$ are chosen so that the evaluated polynomial remains of the same degree and squarefree at each stage.

1. [Initialize.] Set $\bar C \leftarrow C$, $k \leftarrow n$.

2. [Prepare to choose $a_k$.] Set $a \leftarrow 0$, $c \leftarrow \mathrm{lc}(\bar C)$.

3. [Evaluate c and $\bar C$ at $v_k = a$.] (Now $\bar C \in \mathbb{Z}[v_1, \ldots, v_k, x]$, $\deg_x(\bar C) = \deg_x(C)$, $\bar C$ is squarefree, and $c = \mathrm{lc}(\bar C) \in \mathbb{Z}[v_1, \ldots, v_k]$.) If $c(v_1, \ldots, v_{k-1}, a) = 0$, go to step 4. Otherwise, set $A \leftarrow \bar C(v_1, \ldots, v_{k-1}, a, x) \in \mathbb{Z}[v_1, \ldots, v_{k-1}, x]$, $B \leftarrow \gcd(A, \partial A/\partial x)$. If $\deg_x(B) > 0$ (in which case A is not squarefree), go to step 4. Otherwise, set $a_k \leftarrow a$, $k \leftarrow k - 1$, $\bar C \leftarrow A$. If $k > 0$, go to step 2; otherwise, exit.

4. [Try again.] If $a > 0$, set $a \leftarrow -a$; otherwise, set $a \leftarrow 1 - a$. Then go back to step 3.

Termination of this algorithm can be shown by considering at step 3 the discriminant of $\bar C$, which is an element of $\mathbb{Z}[v_1, \ldots, v_k]$ and can be divisible by only finitely many linear polynomials $v_k - a_k$.

In the ideal case, this algorithm chooses all of the $a_i$ equal to zero and the coefficients of $\bar C$ are just the constant integer terms of the coefficients (in $\mathbb{Z}[v_1, \ldots, v_n]$) of C. In case one or more of the $a_i$ cannot be chosen to be zero, we have a problem of potentially serious coefficient growth with each $a_i \ne 0$, and the coefficients of $\bar C$ might be huge. Although this problem has not been analyzed in detail, it seems unlikely that the problem would appear except very rarely.

5.2. Choice of a prime and factorization over GF(p). We can now choose a prime p, reduce $\bar{C}$ modulo p, and factor the result completely over GF(p), thus obtaining a factorization of C modulo $p, v_1 - a_1, \ldots, v_n - a_n$. In this factorization, however, we again have the problem of the likelihood of there being several factors corresponding to each irreducible factor of C. We can avoid this problem, except in rare cases, by considering the complete factorization of our univariate polynomial $\bar{C}(x)$. Suppose that the numerical coefficients of each factor $F_k$ of C are random integers and that the evaluation points $a_1, \ldots, a_n$ result in the factors

$\bar{F}_k(x) = F_k(a_1, \ldots, a_n, x)$

having random integer coefficients. Since almost all polynomials over the integers are irreducible (see [KNU69, Ex. 4.6.2-27]), it is highly probable that


is the complete factorization of $\bar{C}$. Thus, if we obtain the complete factorization of $\bar{C}$, we will only rarely have any more factors than in (1), in contrast to the case with complete factorizations over GF(p).

Therefore, our procedure is this: factor $\mathrm{pp}(\bar{C})$ completely, using the univariate case algorithm, obtaining

$\bar{C} = c \cdot \mathrm{pp}(\bar{C}) = c \cdot \bar{C}_1 \cdots \bar{C}_r,\quad c = \mathrm{content}(\bar{C}).$

If r = 1, then C is irreducible and we are done. Otherwise, choose a prime p such that $\bar{C} \bmod p$ has the same degree as $\bar{C}$ and is squarefree modulo p. Then, instead of factoring $\bar{C}$ completely over GF(p), just put

$G_k = \bar{C}_k \bmod p,$

$G_k \leftarrow \mathrm{lc}(G_k)^{-1} G_k \pmod p,$

so that

$C \equiv c\, G_1 \cdots G_r \pmod{p, v_1 - a_1, \ldots, v_n - a_n},\quad c = \mathrm{lc}(C),\quad G_k \text{ monic}. \qquad (2)$
Thus we have only a partial factorization of C modulo $p, v_1 - a_1, \ldots, v_n - a_n$, but one which does satisfy our partition requirement (Section 2, step 3): suppose $\{1, \ldots, q\}$ is the disjoint union of index sets $I_1, \ldots, I_r$ such that

$F_k \equiv f_k \prod_{i \in I_k} \bar{C}_i \pmod{v_1 - a_1, \ldots, v_n - a_n},\quad f_k \in Z.$

Then

$F_k \equiv \mathrm{lc}(F_k) \prod_{i \in I_k} G_i \pmod{p, v_1 - a_1, \ldots, v_n - a_n}.$

Thus the factorization (2) can be used as a basis for constructing a mod $\mathfrak{M} = (p^j, (v_1 - a_1)^{j_1}, \ldots, (v_n - a_n)^{j_n})$ factorization from which the true factors $F_k$ can be determined, and we can see that by the way (2) was obtained we will usually have only one mod $\mathfrak{M}$ factor corresponding to each true factor.

Although the univariate factoring algorithm determined some prime in the process of factoring $\bar{C}$, it is not necessary to choose p equal to this prime. It is better now to choose a large prime (since we don't have to worry about finding a complete factorization mod p) to reduce the number of Hensel construction iterations. We could, by choosing p large enough, eliminate entirely the phase of the construction which lifts from p to $p^j$, but this might mean that p would be a multiple precision integer and all of the mod p arithmetic during the other phases of the algorithm would be multiple precision. The best course would seem to be to choose p as large as possible while constrained to be a single precision integer on the machine on which the algorithm is implemented.

5.3. Generalized Hensel construction. Algorithm 3.7Q, the Quadratic Hensel construction for a single modulus, may be regarded as an algorithm for lifting a factorization from one residue class ring to another: let

$E^+ = D/(p^j)$

$E = E^+/(p) = D/(p).$

Given

$C = AB,\quad AS + BT = 1,\quad A$ monic in $E[x]$,

Algorithm 3.7Q obtains

$C = A^+ B^+,\quad A^+ S^+ + B^+ T^+ = 1,\quad A^+$ monic in $E^+[x]$,

$A^+ \equiv A$ and $B^+ \equiv B \pmod p$.

In this construction D is only required to be a commutative ring with identity, and thus can itself be a residue class ring of the same form as $E^+$. This suggests we can generalize the construction to any number of moduli. To do so, suppose $p_1, \ldots, p_k \in D$, $j_1, \ldots, j_k$ are positive integers and $m_i = p_i^{j_i}$, $1 \le i \le k$. Define

$D_0 = D/(p_1, \ldots, p_k)$

$D_1 = D/(m_1, p_2, \ldots, p_k)$

$D_2 = D/(m_1, m_2, p_3, \ldots, p_k)$

$\vdots$

$D_k = D/(m_1, \ldots, m_k),$

and note that $D_i = D_{i+1}/(p_{i+1})$, $0 \le i \le k - 1$. Given

$C = A_0 B_0,\quad A_0 S_0 + B_0 T_0 = 1,\quad A_0$ monic in $D_0[x]$,

we perform, for $i = 0, 1, \ldots, k - 1$, Algorithm 3.7Q with $E = D_i$, $E^+ = D_{i+1}$, $p = p_{i+1}$, $j = j_{i+1}$, lifting

$C = A_i B_i,\quad A_i S_i + B_i T_i = 1,\quad A_i$ monic in $D_i[x]$,

to

$C = A_{i+1} B_{i+1},\quad A_{i+1} S_{i+1} + B_{i+1} T_{i+1} = 1,\quad A_{i+1}$ monic in $D_{i+1}[x]$,

$A_{i+1} \equiv A_i$ and $B_{i+1} \equiv B_i \pmod{p_{i+1}}$.

We obtain

$C = A_k B_k,\quad A_k S_k + B_k T_k = 1,\quad A_k$ monic in $D_k[x]$,

$A_k \equiv A_0$ and $B_k \equiv B_0 \pmod{p_1, p_2, \ldots, p_k}$.

To apply this to multivariate factorization, take $D = Z[v_1, \ldots, v_n]$, $k = n + 1$, $p_i = v_i - a_i$, $m_i = (v_i - a_i)^{j_i}$ for $1 \le i \le n$, and $p_{n+1} = p$ (prime integer). For simplicity, assume all of the $a_i$ are zero. Thus

$D_0 = Z[v_1, \ldots, v_n]/(v_1, \ldots, v_n, p) = GF(p)$

$D_1 = Z[v_1, \ldots, v_n]/(m_1, v_2, \ldots, v_n, p) = GF(p)[v_1]/(m_1)$

$D_2 = Z[v_1, \ldots, v_n]/(m_1, m_2, v_3, \ldots, v_n, p) = GF(p)[v_1, v_2]/(m_1, m_2)$

$\vdots$

$D_n = Z[v_1, \ldots, v_n]/(m_1, \ldots, m_n, p) = GF(p)[v_1, \ldots, v_n]/(m_1, \ldots, m_n)$

$D_{n+1} = Z[v_1, \ldots, v_n]/(m_1, \ldots, m_n, p^j).$

We thus start with

$C = A_0 B_0,\quad A_0 S_0 + B_0 T_0 = 1,\quad A_0$ monic in $GF(p)[x]$

and finish with

$C = A_{n+1} B_{n+1},\quad A_{n+1} S_{n+1} + B_{n+1} T_{n+1} = 1,\quad A_{n+1}$ monic in $Z[v_1, \ldots, v_n]/(m_1, \ldots, m_n, p^j)[x]$,

$A_{n+1} \equiv A_0$ and $B_{n+1} \equiv B_0 \pmod{v_1, \ldots, v_n, p}$.

To simplify the computation at each stage, it is best to reduce C to $D_i[x]$ initially: put $C_{n+1} = C \in D_{n+1}[x]$ and for $i = n, \ldots, 0$ let

$C_i = C_{i+1} \bmod p_{i+1} \in D_i[x].$

Then

$C_i \equiv C_{i+1} \equiv \cdots \equiv C_{n+1} = C \pmod{p_{i+1}, \ldots, p_{n+1}},$

hence

$C_i = C$ in $D_i[x]$,

so we can use $C_{i+1}$ in place of C when lifting from

$C_i = A_i B_i$ in $D_i[x]$

to

$C_{i+1} = A_{i+1} B_{i+1}$ in $D_{i+1}[x]$.

For example, it is only necessary to use $C_1 \in D_1[x] = GF(p)[v_1, x]/(m_1)$ when $i = 0$.


Going back to the abstract case, let us write $\mathfrak{D}$ for the domain used in Algorithm 3.7Q, to avoid conflict with our current use of D; thus

$E^+ = \mathfrak{D}/(p^j)$

$E = E^+/(p) = \mathfrak{D}/(p).$

Now consider the operations performed in Algorithm 3.7Q: these are operations in $\mathfrak{D}$, so we must consider the structure of $\mathfrak{D}$ in the application of the algorithm with $E^+ = D_{i+1}$, $E = D_i$. We see that we should take

$\mathfrak{D} = \mathfrak{D}_{i+1} = D/(m_1, \ldots, m_i, p_{i+2}, \ldots, p_k)$

since this gives

$\mathfrak{D}_{i+1}/(p_{i+1}) = D/(m_1, \ldots, m_i, p_{i+1}, p_{i+2}, \ldots, p_k) = D_i = E$

$\mathfrak{D}_{i+1}/(m_{i+1}) = D/(m_1, \ldots, m_i, m_{i+1}, p_{i+2}, \ldots, p_k) = D_{i+1} = E^+$

as required.

In the application to $D = Z[v_1, \ldots, v_n]$, we see that we must be prepared to perform Algorithm 3.7Q with coefficient arithmetic in the domains

$\mathfrak{D}_1 = Z[v_1, \ldots, v_n]/(v_2, \ldots, v_n, p) = GF(p)[v_1]$

$\mathfrak{D}_2 = Z[v_1, \ldots, v_n]/(m_1, v_3, \ldots, v_n, p) = GF(p)[v_1, v_2]/(m_1)$

$\vdots$

$\mathfrak{D}_n = Z[v_1, \ldots, v_n]/(m_1, \ldots, m_{n-1}, p) = GF(p)[v_1, \ldots, v_n]/(m_1, \ldots, m_{n-1})$

$\mathfrak{D}_{n+1} = Z[v_1, \ldots, v_n]/(m_1, \ldots, m_n).$

Since the $m_i$ are powers of the $v_i$, arithmetic in these domains can be regarded as truncated power series operations. For example, we multiply two elements of $\mathfrak{D}_{n+1}$ with an algorithm which drops terms with degree at least $j_i$ in any variable $v_i$. This assumes that the evaluation points $a_i$ are all zero; otherwise the reduction mod $(v_i - a_i)^{j_i}$ would actually require a division by $(v_i - a_i)^{j_i}$. Therefore, if any of the $a_i$ are non-zero, it is probably best to translate the given polynomial $C(v_1, \ldots, v_n, x)$ to

$C'(v_1, \ldots, v_n, x) = C(v_1 + a_1, \ldots, v_n + a_n, x),$

and factor $C'$. If the complete factorization of $C'$ is $F'_1 \cdots F'_q$ then that of C is $F_1 \cdots F_q$, where

$F_i(v_1, \ldots, v_n, x) = F'_i(v_1 - a_1, \ldots, v_n - a_n, x).$
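The staged construction of this section, worked in code for the bivariate case $D = Z[v]$ with $k = 2$, $p_1 = v$, $p_2 = p$ and $a_1 = 0$: a quadratic lift first from $D_0 = GF(p)$ to $D_1 = GF(p)[v]/(v^{j_1})$ with truncated power series arithmetic in $v$, then from $D_1$ to $D_2 = Z[v]/(v^{j_1}, p^j)$, reusing the same lifting routine with a different coefficient domain, as the text argues is possible. This is an added example, not the paper's SAC-1 or Pascal implementation; the polynomial C, the prime p = 5 and the exponents $j_1 = 4$, $j = 3$ are constructed for the illustration, and updating B, S and T by exact division by the monic A is one standard way to realize the lift, not necessarily the steps of Algorithm 3.7Q.

```python
# Polynomials in Z[v][x] as {(deg_x, deg_v): int}; a ring D_i of the text is modelled by truncating the v-degree at jv and reducing coefficients mod pm.
def red(P, jv, pm):            # image of P in Z[v]/(v^jv, pm)[x]
    return {k: c % pm for k, c in P.items() if k[1] < jv and c % pm}
def add(P, Q, s=1):            # P + s*Q
    R = dict(P)
    for k, c in Q.items():
        R[k] = R.get(k, 0) + s * c
    return R
def mul(P, Q):
    R = {}
    for (a, b), c in P.items():
        for (d, e), f in Q.items():
            R[(a + d, b + e)] = R.get((a + d, b + e), 0) + c * f
    return R
def degx(P):
    return max((a for a, _ in P), default=-1)
def divmod_monic(P, A, jv, pm):   # P = q*A + r with deg_x(r) < deg_x(A); A monic in x
    q, r, da = {}, red(P, jv, pm), degx(A)
    while degx(r) >= da:
        lead = {(a - da, b): c for (a, b), c in r.items() if a == degx(r)}
        q, r = add(q, lead), red(add(r, mul(lead, A), -1), jv, pm)
    return q, r
def hensel(C, A, B, S, T, jv, pm):
    """Quadratic Hensel lifting in Z[v]/(v^jv, pm)[x]: every round squares the ideal
    that contains the defects C - A*B and 1 - A*S - B*T, until both are zero."""
    rd, one = (lambda P: red(P, jv, pm)), {(0, 0): 1}
    for _ in range(64):
        E = rd(add(C, mul(A, B), -1))
        F = rd(add(one, add(mul(A, S), mul(B, T)), -1))
        if not E and not F:
            return A, B, S, T
        A = rd(add(A, divmod_monic(mul(T, E), A, jv, pm)[1]))  # A += T*E rem A; A stays monic
        B = divmod_monic(C, A, jv, pm)[0]                       # B = C quo A, so C - A*B lies in I^2
        F = rd(add(one, add(mul(A, S), mul(B, T)), -1))        # defect of S, T w.r.t. the new A, B
        t = divmod_monic(mul(T, F), A, jv, pm)[1]              # t = T*F rem A
        s = divmod_monic(add(add(F, mul(F, F), -1), mul(B, t), -1), A, jv, pm)[0]  # (F - F^2 - B*t) quo A
        S, T = rd(add(S, s)), rd(add(T, t))                    # new defect is F^2
    raise ValueError("no convergence: are A_0, B_0 coprime modulo (v, p)?")
def lift_bivariate(C, A0, B0, S0, T0, p, j1, j):
    """Stage i=0: D_0 = GF(p) -> D_1 = GF(p)[v]/(v^j1), arithmetic in GF(p)[v];
    stage i=1: D_1 -> D_2 = Z[v]/(v^j1, p^j), arithmetic in Z[v]/(v^j1)."""
    A1, B1, S1, T1 = hensel(C, A0, B0, S0, T0, j1, p)
    return hensel(C, A1, B1, S1, T1, j1, p ** j)
# Constructed example: C = (x + 7v + 2)(3x + v^2 - 3) in Z[v][x]; p = 5, j1 = 4, j = 3.
A_TRUE = {(1, 0): 1, (0, 1): 7, (0, 0): 2}
B_TRUE = {(1, 0): 3, (0, 2): 1, (0, 0): -3}
C = mul(A_TRUE, B_TRUE)
# In D_0 = GF(5): A_0 = x + 2, B_0 = 3x + 2, and 2*A_0 + 1*B_0 = 5x + 6 = 1 (mod 5).
A0, B0, S0, T0 = red(A_TRUE, 1, 5), red(B_TRUE, 1, 5), {(0, 0): 2}, {(0, 0): 1}
A_LIFTED, B_LIFTED, _, _ = lift_bivariate(C, A0, B0, S0, T0, 5, 4, 3)
```

By Theorem G of Section 5.4 the lifted A and B must coincide with the true factors reduced modulo $(v^4, 5^3)$, so comparing A_LIFTED and B_LIFTED with red(A_TRUE, 4, 125) and red(B_TRUE, 4, 125) is the check a caller should make.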

5.4. Generalization of other algorithms. The algorithm of Section 3.6, for lifting several factors, may now be generalized to several moduli: all that is required is to substitute the generalized Hensel construction for the single modulus Algorithm Q in step 4. Similarly, Algorithm 3.8T generalizes to several moduli with no difficulty. The theorems of Section 3.9 must also be generalized, but this is also straightforward. The following theorem generalizes Theorem 3.9Q.

Theorem G. Let D be a commutative ring with identity; $p_1, \ldots, p_k$ be elements of D which are not zero-divisors; $m_1 = p_1^{j_1}, \ldots, m_k = p_k^{j_k}$ for some positive integers $j_1, \ldots, j_k$; $p = (p_1, \ldots, p_k)$; $m = (m_1, \ldots, m_k)$. Let $A, B, A_1, B_1 \in D[x]$ satisfy

a. $A_1 B_1 \equiv AB \pmod m$;

b. $\deg(A_1) = \deg(A)$ and $\mathrm{lc}(A_1) = \mathrm{lc}(A) = 1$;

c. $A_1 \equiv A$ and $B_1 \equiv B \pmod p$;

d. $AS + BT \equiv 1 \pmod p$.

Then $A_1 \equiv A$ and $B_1 \equiv B \pmod m$.
Proof: By induction on k. If k = 1 then the theorem follows from Theorem 3.9Q. Assume k > 1 and let

$D_0 = D/(p_1, \ldots, p_k)$

$D_{k-1} = D/(m_1, \ldots, m_{k-1}, p_k)$

$D_k = D/(m_1, \ldots, m_k).$

Then $D_0 = D_{k-1}/(p_1, \ldots, p_{k-1})$ and by a-d we have, in $D_{k-1}[x]$,

a'. $A_1 B_1 = AB$

b'. $\deg(A_1) = \deg(A)$, $\mathrm{lc}(A_1) = \mathrm{lc}(A) = 1$

c'. $A_1 \equiv A$ and $B_1 \equiv B \pmod{p_1, \ldots, p_{k-1}}$

d'. $AS + BT \equiv 1 \pmod{p_1, \ldots, p_{k-1}}$.

By the induction hypothesis, we therefore have $A_1 = A$ and $B_1 = B$ in $D_{k-1}[x]$. Now since $D_{k-1} = D_k/(p_k)$ we have

$A_1 \equiv A$ and $B_1 \equiv B \pmod{p_k}$

in $D_k[x]$. The generalized Hensel construction gives $S_k$ and $T_k$ satisfying

$A S_k + B T_k = 1$

in $D_k[x]$. We also have a' and b' in $D_k[x]$, so Theorem 3.7Q applies and we conclude that $A_1 = A$ and $B_1 = B$ in $D_k[x]$, as desired.

Now Theorem 3.9T can be generalized by merely substituting $p_1, \ldots, p_k$ and $j_1, \ldots, j_k$ for p and j and $m_1, \ldots, m_k$ for m in its statement and proof, and invoking Theorem G in place of Theorem 3.9Q.
6. Summary and conclusions

By means of abstract algorithms we have presented the algebraic theory underlying the essential steps of a "Berlekamp-Hensel" algorithm for factoring integral polynomials, including squarefree factorization, choice of moduli, Hensel's construction, and searching for true factors. The basic ideas of the univariate case algorithms have appeared previously in the literature but are presented here in greater detail. A practical basis for a multivariate case algorithm is also given in the generalized Hensel construction.

Beyond the algebraic theory, we have gone into detailed consideration of improvements which can be made in the basic algorithms and comparisons between various alternative ways of implementing particular steps. In the univariate case, the most significant of these considerations related to the choice of a prime, the degree compatibility tests, and the trailing coefficient test in the true factor testing algorithm. In the multivariate case, we noted the importance of the translation to make the evaluation points all zero and of the univariate factorization to reduce the number of extraneous factorizations considered.

A  number  of  interesting  open  problems  have  been  noted,  including 
the  existence  of  an  algorithm  for  factoring  integral  polynomials  with  a 
polynomial  bounded  computing  time,  the  average  computing  time  of  the 
univariate  Berlekamp-Hensel  algorithm  for  classes  of  reducible  polynomials, 
and  the  maximum  and  average  computing  times  of  the  multivariate  algorithm. 